User input passed through the "customicon" when creating a new course is not properly sanitized before being uploaded into the /content/ directory. This could be exploited to upload and execute arbitrary PHP code. Successful exploitation of this vulnerability requires an account with permissions to create new courses.